<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Built-in users | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'built-in-users.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/built-in-users.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/built-in-users.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/built-in-users.html" rel="nofollow" target="_blank">../en/built-in-users.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="setting-up-authentication.html">User authentication</a></span>
»
<span class="breadcrumb-node">Built-in users</span>
</div>
<div class="navheader">
<span class="prev">
<a href="setting-up-authentication.html">« User authentication</a>
</span>
<span class="next">
<a href="internal-users.html">Internal users »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="built-in-users"></a>Built-in users<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>The Elastic Stack security features provide built-in user credentials to help you get
up and running. These users have a fixed set of privileges and cannot be
authenticated until their passwords have been set. The <code class="literal">elastic</code> user can be
used to <a class="xref" href="built-in-users.html#set-built-in-user-passwords" title="Setting built-in user passwords">set all of the built-in user passwords</a>.</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">elastic</code>
</span>
</dt>
<dd>
A built-in <a class="xref" href="built-in-roles.html" title="Built-in roles">superuser</a>.
</dd>
<dt>
<span class="term">
<code class="literal">kibana</code>
</span>
</dt>
<dd>
The user Kibana uses to connect and communicate with Elasticsearch.
</dd>
<dt>
<span class="term">
<code class="literal">logstash_system</code>
</span>
</dt>
<dd>
The user Logstash uses when storing monitoring information in Elasticsearch.
</dd>
<dt>
<span class="term">
<code class="literal">beats_system</code>
</span>
</dt>
<dd>
The user the Beats use when storing monitoring information in Elasticsearch.
</dd>
<dt>
<span class="term">
<code class="literal">apm_system</code>
</span>
</dt>
<dd>
The user the APM server uses when storing monitoring information in Elasticsearch.
</dd>
<dt>
<span class="term">
<code class="literal">remote_monitoring_user</code>
</span>
</dt>
<dd>
The user Metricbeat uses when collecting and
storing monitoring information in Elasticsearch. It has the <code class="literal">remote_monitoring_agent</code> and
<code class="literal">remote_monitoring_collector</code> built-in roles.
</dd>
</dl>
</div>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>The built-in users serve specific purposes and are not intended for general
use. In particular, do not use the <code class="literal">elastic</code> superuser unless full access to
the cluster is required. Instead, create users that have the minimum necessary
roles or privileges for their activities.</p>
</div>
</div>
<h4>
<a id="built-in-user-explanation"></a>How the built-in users work<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>These built-in users are stored in a special <code class="literal">.security</code> index, which is managed
by Elasticsearch. If a built-in user is disabled or its password
changes, the change is automatically reflected on each node in the cluster. If
your <code class="literal">.security</code> index is deleted or restored from a snapshot, however, any
changes you have applied are lost.</p>
<p>Although they share the same API, the built-in users are separate and distinct
from users managed by the <a class="xref" href="native-realm.html" title="Native user authentication">native realm</a>. Disabling the native
realm will not have any effect on the built-in users. The built-in users can
be disabled individually, using the
<a href="security-api-disable-user.html" class="ulink" target="_top">disable users API</a>.</p>
<h4>
<a id="bootstrap-elastic-passwords"></a>The Elastic bootstrap password<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>When you install Elasticsearch, if the <code class="literal">elastic</code> user does not already have a password,
it uses a default bootstrap password. The bootstrap password is a transient
password that enables you to run the tools that set all the built-in user passwords.</p>
<p>By default, the bootstrap password is derived from a randomized <code class="literal">keystore.seed</code>
setting, which is added to the keystore during installation. You do not need
to know or change this bootstrap password. If you have defined a
<code class="literal">bootstrap.password</code> setting in the keystore, however, that value is used instead.
For more information about interacting with the keystore, see
<a href="secure-settings.html" class="ulink" target="_top">Secure Settings</a>.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>After you <a class="xref" href="built-in-users.html#set-built-in-user-passwords" title="Setting built-in user passwords">set passwords for the built-in users</a>,
in particular for the <code class="literal">elastic</code> user, there is no further use for the bootstrap
password.</p>
</div>
</div>
<h4>
<a id="set-built-in-user-passwords"></a>Setting built-in user passwords<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>You must set the passwords for all built-in users.</p>
<p>The <code class="literal">elasticsearch-setup-passwords</code> tool is the simplest method to set the
built-in users' passwords for the first time. It uses the <code class="literal">elastic</code> user’s
bootstrap password to run user management API requests. For example, you can run
the command in an "interactive" mode, which prompts you to enter new passwords
for the <code class="literal">elastic</code>, <code class="literal">kibana</code>, <code class="literal">logstash_system</code>, <code class="literal">beats_system</code>, <code class="literal">apm_system</code>,
and <code class="literal">remote_monitoring_user</code> users:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-setup-passwords interactive</pre>
</div>
<p>For more information about the command options, see
<a href="setup-passwords.html" class="ulink" target="_top">elasticsearch-setup-passwords</a>.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>After you set a password for the <code class="literal">elastic</code> user, the bootstrap
password is no longer valid; you cannot run the <code class="literal">elasticsearch-setup-passwords</code>
command a second time.</p>
</div>
</div>
<p>Alternatively, you can set the initial passwords for the built-in users by using
the <span class="strong strong"><strong>Management &gt; Users</strong></span> page in Kibana or the
<a href="security-api-change-password.html" class="ulink" target="_top">Change Password API</a>. These methods are
more complex. You must supply the <code class="literal">elastic</code> user and its bootstrap password to
log into Kibana or run the API. This requirement means that you cannot use the
default bootstrap password that is derived from the <code class="literal">keystore.seed</code> setting.
Instead, you must explicitly set a <code class="literal">bootstrap.password</code> setting in the keystore
before you start Elasticsearch. For example, the following command prompts you to enter a
new bootstrap password:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-keystore add "bootstrap.password"</pre>
</div>
<p>You can then start Elasticsearch and Kibana and use the <code class="literal">elastic</code> user and bootstrap
password to log into Kibana and change the passwords. Alternatively, you can
submit Change Password API requests for each built-in user. These methods are
better suited for changing your passwords after the initial setup is complete,
since at that point the bootstrap password is no longer required.</p>
<h4>
<a id="add-built-in-user-kibana"></a>Adding built-in user passwords to Kibana<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>After the <code class="literal">kibana</code> user password is set, you need to update the Kibana server
with the new password by setting <code class="literal">elasticsearch.password</code> in the <code class="literal">kibana.yml</code>
configuration file:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">elasticsearch.password: kibanapassword</pre>
</div>
<p>See <a href="https://www.elastic.co/guide/en/kibana/7.7/using-kibana-with-security.html" class="ulink" target="_top">Configuring security in Kibana</a>.</p>
<h4>
<a id="add-built-in-user-logstash"></a>Adding built-in user passwords to Logstash<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>The <code class="literal">logstash_system</code> user is used internally within Logstash when
monitoring is enabled for Logstash.</p>
<p>To enable this feature in Logstash, you need to update the Logstash
configuration with the new password by setting <code class="literal">xpack.monitoring.elasticsearch.password</code> in
the <code class="literal">logstash.yml</code> configuration file:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.monitoring.elasticsearch.password: logstashpassword</pre>
</div>
<p>If you have upgraded from an older version of Elasticsearch, the <code class="literal">logstash_system</code> user
may have defaulted to <em>disabled</em> for security reasons. Once the password has
been changed, you can enable the user via the following API call:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">PUT _security/user/logstash_system/_enable</pre>
</div>
<div class="console_widget" data-snippet="snippets/1218.console"></div>
<p>See <a href="https://www.elastic.co/guide/en/logstash/7.7/ls-security.html#ls-monitoring-user" class="ulink" target="_top">Configuring credentials for Logstash monitoring</a>.</p>
<h4>
<a id="add-built-in-user-beats"></a>Adding built-in user passwords to Beats<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>The <code class="literal">beats_system</code> user is used internally within Beats when monitoring is
enabled for Beats.</p>
<p>To enable this feature in Beats, you need to update the configuration for each
of your beats to reference the correct username and password. For example:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.monitoring.elasticsearch.username: beats_system
xpack.monitoring.elasticsearch.password: beatspassword</pre>
</div>
<p>For example, see <a href="https://www.elastic.co/guide/en/beats/metricbeat/7.7/monitoring.html" class="ulink" target="_top">Monitoring Metricbeat</a>.</p>
<p>The <code class="literal">remote_monitoring_user</code> is used when Metricbeat collects and stores
monitoring data for the Elastic Stack. See <a class="xref" href="monitoring-production.html" title="Monitoring in a production environment"><em>Monitoring in a production environment</em></a>.</p>
<p>If you have upgraded from an older version of Elasticsearch, then you may not have set a
password for the <code class="literal">beats_system</code> or <code class="literal">remote_monitoring_user</code> users. If this is
the case, then you should use the <span class="strong strong"><strong>Management &gt; Users</strong></span> page in Kibana or the
<a href="security-api-change-password.html" class="ulink" target="_top">Change Password API</a> to set a password
for these users.</p>
<h4>
<a id="add-built-in-user-apm"></a>Adding built-in user passwords to APM<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<p>The <code class="literal">apm_system</code> user is used internally within APM when monitoring is enabled.</p>
<p>To enable this feature in APM, you need to update the
<a href="https://www.elastic.co/guide/en/apm/server/7.7/configuring-howto-apm-server.html" class="ulink" target="_top">APM configuration file</a> to
reference the correct username and password. For example:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.monitoring.elasticsearch.username: apm_system
xpack.monitoring.elasticsearch.password: apmserverpassword</pre>
</div>
<p>See <a href="https://www.elastic.co/guide/en/apm/server/7.7/monitoring.html" class="ulink" target="_top">Monitoring APM Server</a>.</p>
<p>If you have upgraded from an older version of Elasticsearch, then you may not have set a
password for the <code class="literal">apm_system</code> user. If this is the case,
then you should use the <span class="strong strong"><strong>Management &gt; Users</strong></span> page in Kibana or the
<a href="security-api-change-password.html" class="ulink" target="_top">Change Password API</a> to set a password
for these users.</p>
<h4>
<a id="disabling-default-password"></a>Disabling default password functionality<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/built-in-users.asciidoc">edit</a>
</h4>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>This setting is deprecated. The elastic user no longer has a default password.
The password must be set before the user can be used.
See <a class="xref" href="built-in-users.html#bootstrap-elastic-passwords" title="The Elastic bootstrap password">The Elastic bootstrap password</a>.</p>
</div>
</div>
</div>
<div class="navfooter">
<span class="prev">
<a href="setting-up-authentication.html">« User authentication</a>
</span>
<span class="next">
<a href="internal-users.html">Internal users »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>